Computer security, and particularly the security of data which resides on a computer system, remains an important aspect of computing. In this regard, recent computer architectures have implemented security features designed to preclude, or at least to inhibit, unauthorized users of the computer systems from accessing data that resides on a computer's storage media. For example, recent trusted personal computer architectures incorporate a trusted platform module (TPM) that offers various services useful for data protection.
Some operating systems have been adapted to utilize the services of a TPM to implement data protection schemes. For example, the Vista operating system available from Microsoft Corporation of Redmond, Wash., USA utilizes the TPM to protect the encryption key that is used to encrypt data stored on the computer's hard drive, a feature referred to as “Bit Locker” encryption. The Linux operating system includes a feature referred to as “the enforcer,” which uses the TPM to store the secret to an encrypted loopback file system.
At times it may be necessary to update the computer system's firmware, like the basic input/output system (BIOS), or the user may add an option card into a system which contains an option ROM component. In some circumstances, the above changes will result in changed PCR (Platform Configurations Register) values stored within the TPM upon next platform restart. This may prevent platform software subsequent to BIOS from decrypting previously encrypted data. This interference can render the data on the drive inaccessible to an authorized user of the system or may force the operating system to enter into recovery mode, where the user has to go through a series of inconvenient steps to allow the computer to start. These steps may include prompting the user to present an authentication token or a backup key stored on removable media. One procedure to update the firmware requires disabling Bit Locker, then updating the firmware and then re-enabling Bit Locker again. This exposes a window of vulnerability during the time Bit Locker is disabled.